SSL(Secure Socket Layer) & TLS(Transport Layer Protocol) are two security protocols that allow you to encrypt & decrypt data sent over the internet. They are very useful if you run a web server on your Linux system. But TLS is more advanced than SSL and preferred version these days. However, you can setup TLS on your web server only if the underlying Linux system supports it. OpenSSL is the default library used by Linux systems to execute SSL/TLS protocols. In this article, we will learn how to check the supported TLS/SSL versions in Linux.
How to Check Supported TLS/SSL Version in Linux
OpenSSL library uses the master configuration file /etc/pki/tls/openssl.cnf to implement TLS/SSL protocols.
Here is the simple command to easily get a list of all SSL & TLS versions supported by your OpenSSL library.
$ openssl ciphers -v | awk '{print $2}' | sort | uniq
SSLv3
TLSv1
TLSv1.2
TLSv1.3
The actual output of openssl ciphers contains all details of all the protocols supported by your library. We extract 2nd column from its output, sort it and remove duplicates from it, to get the final list.
For example, if the OpenSSL library installed on your Linux system does not support TLSv1.3, then the above command’s output will not display TLS v1.3 and your web servers running on this system will not be able to support TLS v1.3. As a result, your website itself will not be able to support TLS v1.3. In such cases, it is advisable to simply upgrade the OpenSSL library on your system to avail its latest features.
If you want to get a complete list of all protocols supported by your OpenSSL version, run the following command.
$ openssl ciphers -v | column -t
Check Supported TLS/SSL versions using NMAP
You can also check supported TLS/SSL versions using NMAP command. In this case, we scan the output of request sent to our web server hosted at www.fedingo.com.
$ nmap –script ssl-enum-ciphers -p 443 www.fedingo.com
This is useful if you want to get a list of all supported TLS/SSL versions from the client side, instead of from server-side as mentioned above.
Check Supported TLS/SSL versions using OpenSSL
We have already seen how to check supported TLS/SSL versions from server side. If you want to get the same information from client side, you need to use the following command. But unlike NMAP, which lists all supported protocols, with OpenSSL, you need to individually check if each protocol is supported or not. Here is the command to check if TLS 1.2 is supported or not.
$ openssl s_client -connect www.fedingo.com:443 -tls1_2
Similarly, here is the command to check if TLS v1.3 is supported or not.
$ openssl s_client -connect www.fedingo.com:443 -tls1_3 <<<"" 2>/dev/null | grep ^New
TLS v1.0
$ openssl s_client -connect www.fedingo.com:443 -tls1 <<<"" 2>/dev/null | grep ^New
It is useful to check the supported TLS/SSL versions from client side, if you need to make API calls or send requests to a website. It is also useful in case you want to process requests sent from a specific website. For example, if your website communicates with a payment processor, then you need to find out which protocols are supported on the payment processor’s website, so that you can also support them on your website.
In this guide, we have learnt how to find out which TLS/SSL versions are supported by your Linux system.
Also read:
How to Run Multiple Commands in Linux
How to Record & Replay Terminal Commands in Linux
How to Save All Terminal Output to File
How to Remove Startup Applications in Ubuntu
How to Do Port Forwarding in Raspberry Pi